Abstract

A type confusion attack is one in which a principal accepts data of one type as data of another. Although it has been shown by Heather et al. that there are simple formatting conventions that will guarantee that protocols are free from simple type confusions in which fields of one type are substituted for fields of another, it is not clear how well they defend against more complex attacks, or against attacks arising from interaction with protocols that are formatted according to different conventions.

In this paper we show how type confusion attacks can arise in realistic situations even when the types are explicitly defined in at least some of the messages, using examples from our recent analysis of the Group Domain of Interpretation Protocol. We then develop a formal model of types that can capture potential ambiguity of type notation, and outline a procedure for determining whether or not the types of two messages can be confused. This work extends our earlier work on the subject in that it includes an explicit model of attacker and defender, and extends the informal model of the type confusion attack as a game between an intruder and a set of honest principals in our earlier work to a more formal model in which the actions of intruder and honest principals are described explicitly. This gives us a simpler, more intuitive approach that allows us to calculate probabilities in a more systematic manner, and to compare different intruder strategies and different assumptions about the way in which the protocol is implemented in terms of their effects on type confusion.

1 Introduction

Type confusion attacks arise when it is possible to confuse a message, which we will refer to as the masquerading message, containing data of one type with a message, which we will refer to as the spoofed message, containing data of another. The simplest type confusion attacks are ones in which fields of one type are confused with fields of another type, such as is described in [9], but it is also possible to imagine attacks in which fields of one type are confused with a concatenation of fields of another type, as is described by Snekkenes in [12], or even attacks in which pieces of fields of one type are confused with pieces of fields of other types.

The technique of tagging data with its type has been shown to provide security against simple type confusion attacks involving the confusion of one field with another in the Dolev-Yao model [5], and we believe that these techniques could easily be extended to more complex type confusion attacks (see [10] for a discussion). But, although a tagging technique may work within a single protocol in which the technique is followed for all authenticated messages, it does not prevent type confusion of a protocol that uses the technique with a protocol that does not use the technique, but that does use the same authentication keys. Since it is not uncommon for master keys (especially public keys) to be used with more than one protocol, it may be necessary to develop other means for determining whether or not type confusion is possible. In this paper we explore these issues further, and describe a procedure for detecting the possibility of the more complex varieties of type confusion.

The remainder of this paper is organized as follows. In Section Two, in order to motivate our work, we give a brief account of a complex type confusion flaw that was recently found during an analysis of the Group Domain of Interpretation Protocol, a secure multicast protocol being developed by the Internet Engineering Task Force. In Section Three we give a formal model for the use of types in protocols that takes into account possible type ambiguity. This is similar to an earlier one we developed in [10], except that it takes into account the causal order among message fields as well as the order in which they appear in a message. In Section Four we develop the notion of a type confusion attack as a game between an intruder and a set of honest principals. We use this notion of a game to develop what we call the gap-toothed zipper, a generalization of the zipper procedure developed in [10]. We show how the gap-toothed zipper can be used to compare different intruder strategies and help determine whether or not a successful strategy exists. In Section Five we conclude the paper and give suggestions for further research.

2 The GDOI Attack

In this section we describe a type flaw attack that was found on an early version of the GDOI protocol [2].

The Group Domain of Interpretation protocol (GDOI) is a group key distribution protocol that is undergoing the IETF standardization process. It is built on top of the ISAKMP [8] and IKE [4] protocols for key management, which imposes some constraints on the way in which it is formatted. GDOI consists of two parts. In the first part, called the Groupkey Pull Protocol, a principal joins the group and gets a group key encryption key from the Group Controller/Key Distributor (GCKS) in a handshake protocol protected by a pairwise key that was originally exchanged using IKE. In the second part, called the Groupkey Push Message, the GCKS sends out new traffic encryption keys protected by the GCKS's digital signature and the key encryption key.

Both pieces of the protocol can make use of digital signatures. The Groupkey Pull Protocol offers the option of including a Proof-of-Possession field, in which either or both parties can prove possession of a public key by signing the concatenation of a nonce $N_A$ generated by the group member and a nonce $N_B$ generated by the GCKS. This can be used to show linkage with a certificate containing the public key, and hence the possession of any identity or privileges stored in that certificate.

As for the Groupkey Push Message, it is first signed by the GCKS's private key, and then encrypted with the key encryption key. The signed information includes a header HDR (which is sent in the clear), and contains, besides the header, several different types of message payload, and it ends in a Key Download Payload which will generally end in a random number (the key).

According to the conventions of ISAKMP, HDR must begin with a random or pseudo-random number. In pairwise protocols, this is jointly generated by both parties, but in GDOI, since the message must go from one to many, this is not practical. Thus the number is generated by the GCKS. Similarly, it is likely that the Key Download message will end in a random number: a key. Thus it is reasonable to assume that the signed part of a Groupkey Push Message both begins and ends in a random number.

We found two type confusion attacks. In both, we assume that the same private key is used by the GCKS to sign POPs and Groupkey Push Messages. In the first of these, we assume a dishonest group member who wants to pass off a signed POP from the GCKS as a Groupkey Push Message. To do this, she creates a fake plaintext Groupkey Push Message GPM, which is missing only the last (random) part of the Key Download Payload. She then initiates an instance of the Groupkey Pull Protocol with the GCKS, but in place of her nonce, she sends GPM. The GCKS responds by appending its nonce $N_B$ and signing it, to create a signed $(GPM, N_B)$. If $N_B$ is of the right size, this will look like a signed Groupkey Push Message. The group member can then encrypt it with the key encryption key (which she will know, being a group member) and send it out to the entire group.

The second attack requires a few more assumptions. We assume that there is a group member $A$ who can also act as a GCKS, and that the pairwise key between $A$ and another GCKS, $B$, is stolen, but that $B$'s private key is still secure. Suppose that $A$, acting as a group member, initiates a Groupkey Pull Protocol with $B$. Since their pairwise key is stolen, it is possible for an intruder to insert a fake nonce for $B$'s nonce $N_B$. The nonce he inserts is a fake Groupkey Push Message $GPM'$ that is complete except for a prefix of the header consisting of all or part of the random number beginning the header. $A$ then signs $(N_A, GPM')$, which, if $N_A$ is of the right length, will look like the signed part of a Groupkey Push Message. The intruder can then find out the key encryption key from the completed Groupkey Pull Protocol and use it to encrypt the resulting $(N_A, GPM')$ to create a convincing fake Groupkey Push Message.

A more complete account of both these attacks may be found in [16].

Fortunately the fix was simple. Although GDOI was constrained by the formatting required by ISAKMP, this was not the case for the information that was signed within GDOI. Thus the protocol was modified so that, whenever a message was signed within GDOI, information was prepended saying what the purpose was (e.g. a member's POP, or a Groupkey Push Message). This eliminated the type confusion attacks.
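To see why prepending the purpose closes the gap, here is an added Python model of the signed bytes of both messages (my own, not from the paper or the GDOI specification): an HMAC stands in for the GCKS signature since only the signed bytes matter, the field sizes and the two tag values are constructed, and the push-message verifier is run both without and with the fix.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the GCKS signing key and the field sizes of the model.
GCKS_KEY = b"constructed-gcks-signing-key"
HDR_RANDOM_LEN = 8   # random number that begins the ISAKMP header HDR
NONCE_LEN = 16       # size of the GCKS nonce NB, and of the key ending the Key Download Payload
TAG_POP = b"\x01"    # constructed purpose tags prepended to signed data after the fix
TAG_PUSH = b"\x02"


def sign(data: bytes) -> bytes:
    """HMAC stands in for the GCKS digital signature; only the signed bytes matter here."""
    return hmac.new(GCKS_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def gcks_sign_pop(member_nonce: bytes, tagged: bool):
    """GCKS side of the Proof-of-Possession: sign (NA, NB) with NB its own fresh nonce."""
    nb = os.urandom(NONCE_LEN)
    signed = member_nonce + nb
    if tagged:
        signed = TAG_POP + signed        # the fix: the signed data says what it is for
    return signed, sign(signed)


def parse_push(signed: bytes, sig: bytes, tagged: bool):
    """A group member's check of the signed part of a Groupkey Push Message.

    Returns the parsed fields, or None if the message is rejected. Without the
    fix, any correctly signed blob that begins with HDR's random number and
    ends in something key-sized passes, whatever it was really signed for."""
    if not verify(signed, sig):
        return None
    if tagged:
        if not signed.startswith(TAG_PUSH):
            return None                  # signed for some other purpose (e.g. a POP)
        signed = signed[len(TAG_PUSH):]
    if len(signed) < HDR_RANDOM_LEN + NONCE_LEN:
        return None
    return {
        "hdr_random": signed[:HDR_RANDOM_LEN],
        "payloads": signed[HDR_RANDOM_LEN:-NONCE_LEN],
        "key": signed[-NONCE_LEN:],
    }


def pop_accepted_as_push(tagged: bool) -> bool:
    """Replays the first confusion of Section 2 against the model: a member's POP
    nonce is a fake push message GPM lacking only the trailing key, and the
    resulting signed POP is offered to the push-message verifier."""
    gpm_without_key = os.urandom(HDR_RANDOM_LEN) + b"constructed payloads"
    signed, sig = gcks_sign_pop(gpm_without_key, tagged)
    return parse_push(signed, sig, tagged) is not None
```

The untagged verifier accepts the signed POP as a push message; the tagged one rejects it because the first signed byte is TAG_POP rather than TAG_PUSH, while a genuinely tagged push message still verifies.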

There are several things to note here. The first is that existing protocol analysis tools are not very good at finding these types of attacks. Most assume that some sort of strong typing is already implemented. Even when this is not the case, the ability to handle the various combinations that arise is somewhat limited. For example, we found the second, less feasible, attack automatically with the NRL Protocol Analyzer, but the tool could not have found the first attack, since the ability to model it requires the ability to model the associativity of concatenation, which the NRL Protocol Analyzer lacks. Moreover, type confusion attacks do not require a perfect matching between fields of different types. For example, in order for the second attack to succeed, it is not necessary for $N_A$ to be the same size as the random number beginning the header, only that it be no longer than that number. Again, this is something that is not within the capacity of most crypto protocol analysis tools. Finally, most crypto protocol analysis tools are not equipped for probabilistic analysis, so they would not be able to find cases in which, although type confusion would not be possible every time, it would occur with a high enough probability to be a concern.

The other thing to note is that, as we said before, even though it is possible to construct techniques that can be used to guarantee that protocols will not interact insecurely with other protocols that are formatted using the same technique, it does not mean that they will not interact insecurely with protocols that were formatted using different techniques, especially if, as in the case of GDOI's use of ISAKMP, the protocol wound up being used differently than it was originally intended (for one-to-many instead of pairwise communication). Indeed, this is the result one would expect given previous results on protocol interaction [7, 1]. Since it is to be expected that different protocols will often use the same keys, it seems prudent to investigate to what extent an authenticated message from one protocol could be confused with an authenticated message from another, and to what extent this could be exploited by a hostile intruder. The rest of this paper will be devoted to the discussion of a procedure for doing so.

3 The Model

3.1 Overview

In this section we will describe the model that underlies our procedure. It is motivated by the fact that different principals may have different capacities for checking types of messages and fields in messages. Some information, like the length of the field, may be checkable by anybody. Other information, like whether or not a field is a random number generated by a principal, or a secret key belonging to a principal, will only be checkable by the principal who generated the random number in the first case, and by the possessor(s) of the secret key in the second. In order to do this, we need to develop a theory of types that takes differing capacities for checking types into account. In Section 3.2 we set forth our basic theory of types. In Section 3.3 we show how we construct messages out of types.

3.2 Types

We assume an environment consisting of principals who possess information and can check properties of data based on that information. As in the Dolev-Yao model, we assume principals are either honest, in which case they obey the rules of whatever communication protocols are defined, or dishonest, in which case they are in league with an intruder who is trying to implement a type confusion attack.

Definition 3.1 A field is a sequence of bits. We let $\epsilon$ denote the empty field. If $x$ and $y$ are two fields, we let $x \| y$ denote the concatenation of $x$ and $y$.

Definition 3.2 A type is a variable whose range is a set of fields, which can include the empty field. A probabilistic type is a random variable whose range is a set of fields. A type member choice is the act of choosing a member of a type (according to its probability distribution, if one exists) by a principal engaging in the protocol. We say that a type is under the control of a principal $A$ if $A$ is the principal who performs the type member choice.

For the purposes of this paper, we will assume that any finite-domain type generated by a pseudo-random number generator (under which we will include cryptographic operations such as encryption, MACs, digital signatures, etc.) that is under the control of an honest principal is given a uniform distribution over its domain. We do not rule out assignments of distributions that correspond more closely to cryptographic assumptions, however, and this is something we intend to investigate more closely in the future.

We assume that each type is under the control of a single principal who may be either an honest principal or the intruder. If a type is under the control of an honest principal, it chooses a member of that type according to the rules of the protocol. On the other hand, there are actually two ways in which a type can be under the control of the intruder. The first way is directly. For example, suppose that the intruder sends a principal a nonce $N_I$, and the principal produces the message $S_A(N_A, N_I)$. Then the value of $N_I$ is directly controlled by the intruder. Suppose on the other hand that the principal is expecting to receive a message $S_B(N_A, N_B)$ where all it knows about $N_B$ is that it is of length $N$. If the intruder could trick $B$ into producing some $S_B(N_A, X)$, where $X$ is some other term of length $N$, then the intruder would have tricked $A$ into accepting $X$ as of the same type as $N_B$. Here, the intruder may not have complete control of the type, since it may not be able to trick $B$ into accepting all strings of length $N$, but it does have some control. We will say that the type is under indirect control of the intruder in this case.

We assign probability distributions to types according to whose control they are under, and how. If a type is under the control of an honest principal, then the probability distribution is defined by the rules of the protocol. If the type is under the direct control of the intruder, then the probability distribution is initially undefined, but will be chosen by the intruder to maximize the likelihood of a type confusion attack. If the type is under the indirect control of the intruder, then no probability distribution is associated with that type. Rather, the value of the type is determined by the values of the variables it is being matched against in a type confusion attack.

We now consider what an honest principal $A$ who receives a field $x$ that is supposed to be in the domain of a type $T$ is able to tell about it. If $T$ is under the control of $A$ itself, then $A$ will be able to tell, not only whether or not $x$ belongs to $T$, but whether or not $x$ was the value that $A$ chose. On the other hand, if $A$ receives a field $x$ purporting to come from the domain of a $T$ under the control of an intruder, then all $A$ can tell is whether or not $x$ is in the domain of $T$.

The domain of a type, from $A$'s point of view, will also depend on $A$'s own individual knowledge. For example, suppose that $A$ receives a MAC computed over a message $M$. If the MAC $F$ is computed using a key $K$ that $A$ knows, then $A$ will be able to verify that the MAC was computed over $M$ using $K$. If $A$ does not know $K$ then $A$ will only be able to verify syntactic properties of $F$ such as the length.

This leads us to the following definition.

Definition 3.3 We say that a type $T$ is local to $A$ if $A$ is able to verify membership in the domain of the type.

Note that, if a type local to $A$ is also under the control of an honest principal $B$, then $A$ should be able to verify, not only membership in the domain of the type, but whether or not a member of that type was chosen by $B$.

We are now ready to consider the roles that types play in a type confusion attack. Let $M_1$ be a masquerading message constructed by an honest principal $A$, and let $M_2$ be a spoofed message expected by $B$. From $A$'s point of view, $M_1$ will be constructed from the following types:

1. types controlled by $A$, corresponding to data that it generated itself;

2. types controlled by other honest principals, corresponding to data it received from other honest principals, and whose origin and purpose it is able to verify;

3. and types directly controlled by the intruder, corresponding to data that it received whose origin and purpose it is unable to verify, either because it came from a dishonest principal, or because it was not authenticated, or because the authentication failed.

On the other hand, from $B$'s point of view $M_2$ will be constructed from

1. types controlled by $B$, corresponding to data that it generated itself that it is expecting to see in $M_2$;

2. types controlled by other honest principals, corresponding to data it is expecting to see in $M_2$ that it received from other honest principals previous to receiving $M_2$, and whose origin and purpose it is able to verify;

3. types directly controlled by the intruder, corresponding to data it is expecting to see in $M_2$ that it received from elsewhere previous to receiving $M_2$, but whose origin and purpose it is unable to verify;

4. and types indirectly controlled by the intruder, corresponding to data that it is seeing now for the first time.

Let $A$ be an honest principal. Here are some examples of the types local to $A$ that we will be interested in.

1. Random number of length $N$. If this is a type under the control of an honest principal, it will be the set of all numbers of length $N$, together with the uniform distribution. If it is under the direct control of the intruder, it will be the set of all numbers of length $N$ with an undefined probability distribution. If it is under the indirect control of the intruder, it will be the set of all numbers of length $N$.

2. Public key belonging to a designated principal $B$. This is a type consisting of one member.

3. Digital signature on a message $M$ using a public key $P$. This is a type whose domain is the set of all expressions $E$ satisfying the digital signature relationship with $M$ and $P$. Note that, if the signature scheme is deterministic, this will have only one member. If the type is under the control of an honest principal, the distribution will be uniform over $E$.

4. MAC taken over a message $M$, using a key $K$ that $A$ knows. This is a type uniformly distributed over the set of all expressions $E$ satisfying the MAC relation with $K$ and $M$. Again, if the MAC is deterministic, this will have only one member. If the type is under the control of an honest principal, the distribution will be uniform over $E$.

3.3 Type Function Trees

We are now ready to use types to construct messages. The most obvious way would be to represent messages as lists of types. However, this is not adequate, because the types that may be used in a message may depend on choices made previously for other fields in that or other messages. Consider the following example:

Example 3.1 Let $M$ be the message created by $A$ of the form $(\text{``nonce''}, N, \mathit{NONCE}_A)$, where $\mathit{NONCE}_A$ is a nonce of length $N$. The type of $\mathit{NONCE}_A$ is the set of numbers of length $N$, and so depends upon the second field of the message. On the other hand, suppose that $A$ computes $\mathit{NONCE}_A$, and sends it to $B$, who computes the message $(\text{``nonce''}, N, \mathit{NONCE}_A)$, where $N$ is the length of $\mathit{NONCE}_A$. In that case the integer $N$ depends on $\mathit{NONCE}_A$.

We formalize the dependence of later choices of types upon previous choices by defining the notion of a type function tree as follows:

Definition 3.4 A type function tree is a function $\mathcal{R}$ from lists of fields to types, such that:

1. The empty list $()$ is in $\mathrm{Dom}(\mathcal{R})$;

2. The list of fields $(x_1, \ldots, x_k)$ is in $\mathrm{Dom}(\mathcal{R})$ if and only if $(x_1, \ldots, x_{k-1}) \in \mathrm{Dom}(\mathcal{R})$ and $x_k \in \mathcal{R}((x_1, \ldots, x_{k-1}))$;

3. There exists an integer $h$, called the height of $\mathcal{R}$, such that for any $n \geq h$, $\mathcal{R}((x_1, \ldots, x_n)) = \{\epsilon\}$, where $\epsilon$ is the empty string.

We let $\mathcal{R}_k$ denote the restriction of $\mathcal{R}$ to $k$-tuples.

The order in which types appear in a type function tree should reflect the temporal order in which types are chosen and the causal relationship between types, not necessarily the order in which they appear in a message. We thus need to define the relationship between a type function tree and the message it represents as follows:

Definition 3.5 Let $\mathcal{R}$ be a type function tree of height $h$. Let $p$ be a map from $(1, \ldots, q)$ onto $(1, \ldots, h)$. We say that $M$ is a message type constructed from $\mathcal{R}$ via $p$ if $M$ consists of all fields of the form $y_1 \| \cdots \| y_q$ such that there exists an $(x_1, \ldots, x_h)$ in the domain of $\mathcal{R}_h$ such that $y_i = x_j$ whenever $j = p(i)$. We call $p$ a message surjection.

Thus, in Example 3.1 the first message type is constructed via the identity function, while the second is constructed via a $p$ defined as $p(1) = 1$, $p(2) = 3$, and $p(3) = 2$.

We note, in particular, that if $\mathcal{R}$ is a type function tree corresponding to a spoofed message, then all types under indirect control of the intruder should appear at the end of the tree. This is because the members of these types are not chosen until the spoofed message is matched with a masquerading message, while the members of the other types will have been chosen prior to a principal's receiving a masquerading message.

Our purpose in constructing type function trees will, of course, be the construction of messages of one type that can be mistaken for messages of another type. Consider, for example, the following protocol:

Example 3.2 We consider two instances of a simple challenge-response protocol:

1. $A \rightarrow B : N_A$; where $N_A$ is an arbitrary nonce of length $N$;

2. $B \rightarrow A : N_B, S_B(N_A, N_B)$; where $N_B$ is an arbitrary nonce of length $N$;

3. $A \rightarrow B : S_A(N_B, N'_A)$; where $N'_A$ is an arbitrary nonce of length $N$;

and

1. $B \rightarrow A : N''_B$;

2. $A \rightarrow B : N''_A, S_A(N''_B, N''_A)$;

3. $B \rightarrow A : S_B(N''_A, N'''_B)$.

We want to see if it is possible to trick $A$ into accepting a second message from an honest principal $B$ in the first instance of the protocol as a third message from $B$ in the second instance of the protocol. That is, we want to see if it is possible to trick $A$ into accepting a message $S_B(X, N_B)$ as one of the form $S_B(N_A, Y)$, where $X$ and $Y$ are supplied by the intruder. At first this seems easy; we let $X = N_A$ and then we get $Y = N_B$. Suppose that $N_A$ is generated, and learned by the intruder, before $X$, and $N_B$ is generated before $Y$. Since $Y$ is generated after $N_A$ and $X$ before $N_B$, this gives us a possible type function tree as follows:

1. $\mathcal{R}(()) = N_A$. $N_A$ is a type under control of $A$ consisting of all integers of a fixed length $N$, uniformly distributed.

2. $\mathcal{R}((x_1)) = X$. $X$ is a type under direct control of the intruder. It corresponds to the first field in the signed part of the second message of the protocol.

3. $\mathcal{R}((x_1, x_2)) = N_B$. $N_B$ is a type under control of $B$ consisting of all integers of length $N$, also uniformly distributed.

4. $\mathcal{R}((x_1, x_2, x_3)) = Y$. $Y$ is a type under indirect control of the intruder. It corresponds to the first field in the signed part of the third message of the protocol.

5. $\mathcal{R}((x_1, x_2, x_3, x_4)) = \epsilon$.

We begin by having $A$ choose a field $x_1$ randomly from $N_A$. Clearly, the only strategy available to the intruder is to choose $x_2 = x_1$, which, since $x_1$ has already been revealed, can be done with probability one. We next let $B$ choose $x_3$ randomly from $N_B$. Once that is done, we can let $x_4 = x_3$.

On the other hand, suppose that the intruder generates $X$ before learning $N_A$. In that case the type function tree could be defined as follows:

1. $\mathcal{R}(()) = X$

2. $\mathcal{R}((x_1)) = N_B$

3. $\mathcal{R}((x_1, x_2)) = N_A$

4. $\mathcal{R}((x_1, x_2, x_3)) = Y$

5. $\mathcal{R}((x_1, x_2, x_3, x_4)) = \epsilon$

where the types are defined as above. We now begin by having the intruder choose a field $x_1$ from $X$ according to some probability distribution $\delta$ and $B$ choose $x_2$ randomly from $N_B$. But now when $A$ chooses $x_3$ randomly from $N_A$ the probability that $x_3 = x_1$ is only $1/2^N$. Thus, the probability of a successful type confusion attack changes from certain to negligible, no matter what the choice of $\delta$ is.
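As an added illustration (my own code, not the paper's), the following Python models the two type function trees of Example 3.2 and computes the value of the game just described exactly for small nonces, together with Definition 3.5's message surjection applied to Example 3.1. The representation is an assumption of mine: a tree is a list of (type name, who controls the choice, domain) entries in causal order, and the match of masquerading against spoofed message is a list of type names whose chosen members must coincide.

```python
from fractions import Fraction

HONEST, DIRECT, INDIRECT = "honest", "direct", "indirect"


def nonce_tree(order, n_bits):
    """Type function tree for Example 3.2, given the causal order of its types.

    Every type is the set of all n_bits-bit numbers, so the path is simply the
    list of (name, controller, domain) in the order the choices are made:
    R((x_1, ..., x_k)) is the (k+1)-th entry, and {epsilon} beyond the height."""
    domain = range(2 ** n_bits)
    return [(name, control, domain) for name, control in order]


def confusion_probability(tree, match):
    """Value of the type confusion game: the probability that the masquerading
    message is accepted as the spoofed one when honest principals choose
    uniformly and the intruder plays optimally. `match` lists pairs of type
    names whose chosen members must be equal for the two messages to coincide."""
    def play(k, chosen):
        if k == len(tree):                       # every member chosen: did they match?
            ok = all(chosen[a] == chosen[b] for a, b in match)
            return Fraction(int(ok))
        name, control, domain = tree[k]
        outcomes = [play(k + 1, {**chosen, name: v}) for v in domain]
        if control == HONEST:
            return sum(outcomes) / len(outcomes)   # uniform type member choice
        # DIRECT: the intruder, knowing everything chosen so far, picks the value
        # with the best expected outcome (a deterministic choice is optimal, so no
        # distribution delta can do better). INDIRECT: the type has no
        # distribution; success needs only some member that satisfies the match.
        return max(outcomes)
    return play(0, {})


def assemble_message(path, p):
    """Definition 3.5: the fields (y_1, ..., y_q) of the message built from the
    tree path (x_1, ..., x_h) via the message surjection p, i.e. y_i = x_{p(i)}."""
    return tuple(path[p[i] - 1] for i in range(1, len(p) + 1))


# Matching S_B(X, N_B) against S_B(N_A, Y): X must equal N_A and Y must equal N_B.
MATCH = [("X", "N_A"), ("Y", "N_B")]
# First tree of Example 3.2: N_A is revealed before the intruder chooses X.
ORDER_1 = [("N_A", HONEST), ("X", DIRECT), ("N_B", HONEST), ("Y", INDIRECT)]
# Second tree: the intruder must commit to X before N_A exists.
ORDER_2 = [("X", DIRECT), ("N_B", HONEST), ("N_A", HONEST), ("Y", INDIRECT)]

if __name__ == "__main__":
    n = 3   # 3-bit nonces keep the exhaustive game small (8^4 leaves)
    print(confusion_probability(nonce_tree(ORDER_1, n), MATCH))   # 1
    print(confusion_probability(nonce_tree(ORDER_2, n), MATCH))   # 1/8, i.e. 1/2^N
    # Example 3.1, second message: tree order ("nonce", NONCE_A, N), p(1)=1, p(2)=3, p(3)=2
    print(assemble_message(("nonce", "NONCE_A", "N"), {1: 1, 2: 3, 3: 2}))
```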

We see from the above examples that we can think of the intruder's attempt to pass off a message of one type as a message of another type as a game between the intruder and the honest principals. The intruder and the honest principals choose various members of types in a type function tree, according to whether the type is under control of the intruder or an honest principal. If the honest principal is doing the choosing, it uses the probability distribution specified in the protocol. If the intruder is doing the choosing directly, it uses a strategy most likely to maximize the probability of one message being accepted as another. If the type is under the indirect control of the intruder we attempt to determine if there is any value satisfying the constraints of the type that will make the two messages equal. In the next section, we will formalize this and make it explicit.

4 Type Confusion Games

In this section we show how we can model an attempt by an intruder to convince an honest principal $A$ to construct a masquerading message that can be accepted as a spoofed message by an honest principal $B$ in terms of a game between the intruder and the honest principals. We also describe a procedure, similar to the "zipper" described in [10], for verifying that no type confusion attack is possible, and for narrowing down the search for type confusion attacks if one is possible.


We start by building a type function tree that represents the construction of both masquerading and spoofed messages. This is because, as was made clear in our discussion of Example 3.2, we need to keep the relative timing of the creation of the various fields of the two messages straight. However, we also need to describe the two messages as type function trees. We describe how to build a type function tree out of two type function trees as follows:

Definition 4.1 Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be two type function trees of height $h_1$ and $h_2$, respectively. We define an interleaving $I$ of $\mathcal{R}_1$ and $\mathcal{R}_2$ inductively as follows. Let $\delta_1$ and $\delta_2$ be monotone increasing injections of $(1, \ldots, h_1)$ and $(1, \ldots, h_2)$, respectively, into $(1, \ldots, h)$, such that each member of $(1, \ldots, h)$ is in the image of $\delta_1$ or $\delta_2$.

1. If $1$ is in the image of $\delta_i$, we define $I(()) = \mathcal{R}_i(())$.

2. Suppose that $I((x_1, \ldots, x_{k-1})) = T$, and that $k$ is in the image of $\delta_i$. For each $x_k \in T$ we define $I((x_1, \ldots, x_k))$ to be $\mathcal{R}_i((x_{j_1}, \ldots, x_{j_t}))$, where $(j_1, \ldots, j_t)$ is the maximal subsequence of $(1, \ldots, k-1)$ in the image of $\delta_i$.

We leave it as an exercise to the reader to show that an interleaving of two type function trees is a type function tree if the images of $\theta_1$ and $\theta_2$ are disjoint or if $\mathcal{R}_1 = \mathcal{R}_2$ whenever $\theta_1(i) = \theta_2(j)$.

The reason we allow the possibility of $\theta_1(i) = \theta_2(j)$ is that the two messages might make use of common data. For example, consider a protocol, such as the Internet Key Exchange protocol, which operates in two stages, the first in which principals establish (among other things) data that will appear in the headers of any messages passed in the second stage. If we then want to compare two messages passed in the second stage, we might want to make use of the fact that they contain this common information that was created in the first stage.

The purpose behind the definition of an interleaving of two type function trees is to preserve the causal ordering of data in two messages. If the choice of a member of a type $X$ in one message influences the choice of a member of a type $Y$ in another, then $X$ should precede $Y$ in the interleaving of the two trees. In particular, types under indirect control in the spoofed message will always come after any type from a masquerading message, since the choice of the members of the types under indirect control of the intruder in the spoofed message will be determined by the choices of the members of the types in the masquerading message. Since moreover types under indirect control of the intruder come last in the spoofed message function tree, we conclude that types under indirect control of the intruder come last in the interleaved type function tree.

We are now finally ready to define a type confusion game between the intruder and the honest principals in a protocol.


Definition 4.2 Let $\mathcal{S}_1$ and $\mathcal{S}_2$ be two type function trees of height $h_1$ and $h_2$ respectively, corresponding to the masquerading message and the spoofed message respectively. Let $\rho_1$ and $\rho_2$ be the message surjections from $(1, \ldots, t_1)$ to $(1, \ldots, h_1)$ and from $(1, \ldots, t_2)$ to $(1, \ldots, h_2)$, respectively, belonging to $\mathcal{S}_1$ and $\mathcal{S}_2$. Let $\mathcal{I}$ be an interleaving of $\mathcal{S}_1$ and $\mathcal{S}_2$. We define a type confusion game between the intruder and the honest principals as follows:

1. If $\mathcal{I}(())$ is a type under control of an honest principal, let $p_1$ be the probability distribution associated with it. For each member $x_1$, let $q((x_1)) = p_1(x_1)$.

2. If $\mathcal{I}(())$ is a type under direct control of the intruder, choose a probability distribution $\delta_1$ and choose a member $x_1$ of $\mathcal{I}(())$. Let $q((x_1)) = \delta_1(x_1)$.

3. Suppose that $(x_1, \ldots, x_k)$ have already been chosen, and that $\mathcal{I}((x_1, \ldots, x_k))$ is a type under the control of an honest principal. Let $p_{k+1}$ be the probability distribution associated with $\mathcal{I}((x_1, \ldots, x_k))$. Then for each member $x_{k+1}$ of $\mathcal{I}((x_1, \ldots, x_k))$, let $q((x_1, \ldots, x_{k+1})) = p_{k+1}(x_{k+1})$.

4. Suppose that $(x_1, \ldots, x_k)$ have already been chosen, and that $\mathcal{I}((x_1, \ldots, x_k))$ is under the direct control of the intruder. Choose a probability distribution $\delta_{k+1}$ on $\mathcal{I}((x_1, \ldots, x_k))$. For each member $x_{k+1}$ of $\mathcal{I}((x_1, \ldots, x_k))$, let $q((x_1, \ldots, x_{k+1})) = \delta_{k+1}(x_{k+1})$.

5. Suppose that $(x_1, \ldots, x_k)$ have already been chosen, and that $\mathcal{I}((x_1, \ldots, x_k))$ is under the indirect control of the intruder. Then choose a member $x_{k+1}$ of $\mathcal{I}((x_1, \ldots, x_k))$. Let $q((x_1, \ldots, x_{k+1}))$ be 1, and $q((x_1, \ldots, x_k, y))$ be 0 for all other members $y$ of $\mathcal{I}((x_1, \ldots, x_k))$.

We define a strategy for the intruder to be a choice of probability distributions for the types under the intruder's direct control and members of types under the intruder's indirect control, which may be dependent upon previous choices made by the honest principals.

Given a strategy $ST$ (that is, a particular choice $ST$ of probability distributions and type members), we let $Q_{ST}$ be the probability distribution defined by $Q_{ST}((x_1, \ldots, x_h)) = \prod_{j=1}^{h} q((x_1, \ldots, x_j))$, where $q$ is defined as above.

Let $p$ be a number between 0 and 1. We say that the intruder has a winning strategy with respect to $p$ if there is some strategy $ST$ such that

$Q_{ST}(\{x \text{ s.t. } x_{\rho_1(1)} \| \cdots \| x_{\rho_1(t_1)} = x_{\rho_2(1)} \| \cdots \| x_{\rho_2(t_2)}\}) \geq p.$

We now construct a procedure, similar to the "zipper" defined in [10], for helping to determine if the intruder has a winning strategy. It is based on the fact that generally, the intruder's success in inducing type confusion will depend on which types he tries to match with each other. The probability of success will thus depend on which types in the masquerading message overlap with which types in the spoofed message. This will induce constraints on lengths of fields in the respective messages. Thus it will be important to have a complete list of the possible constraints. We do this by computing all possible length constraints on the two sequences of message fields being matched, as follows.

Definition 4.3 If $x$ is a bitstring, we let $l(x)$ denote the length of $x$. Let $(i_1, \ldots, i_m)$ and $(j_1, \ldots, j_n)$ be two sets of indices. We construct a constraint tree as follows:

1. The root of the constraint tree is the empty set. We call this the 0'th level of the tree.

2. The children of the root, referred to as the first level of the tree, are the nodes

• $C_1 = \{l(x_{i_1}) < l(x_{j_1})\}$

• $C_2 = \{l(x_{i_1}) > l(x_{j_1}),\ l(x_{i_1}) < l(x_{j_1}) + l(x_{j_2})\}$

• $\ldots$

• $C_n = \{l(x_{i_1}) > l(x_{j_1}) + \cdots + l(x_{j_{n-1}}),\ l(x_{i_1}) < l(x_{j_1}) + \cdots + l(x_{j_n})\}$

3. We construct the $s+1$'th level of the tree, where $s < m-1$, as follows. If $D$ is a node such that the largest $v$ for which $l(x_{i_1}) + \cdots + l(x_{i_v}) < l(x_{j_1}) + \cdots + l(x_{j_t})$ appears in $D$ for some $t$ is $s$, construct the child nodes of $D$ as follows:

• $D_1 = D \cup \{l(x_{i_1}) + \cdots + l(x_{i_{s+1}}) < l(x_{j_1}) + \cdots + l(x_{j_t})\} \setminus \{l(x_{i_1}) + \cdots + l(x_{i_s}) < l(x_{j_1}) + \cdots + l(x_{j_t})\}$

• $D_2 = D \cup \{l(x_{i_1}) + \cdots + l(x_{i_{s+1}}) > l(x_{j_1}) + \cdots + l(x_{j_t}),\ l(x_{i_1}) + \cdots + l(x_{i_{s+1}}) < l(x_{j_1}) + \cdots + l(x_{j_{t+1}})\}$

• $\ldots$

• $D_{n-t+1} = D \cup \{l(x_{i_1}) + \cdots + l(x_{i_{s+1}}) > l(x_{j_1}) + \cdots + l(x_{j_{n-1}}),\ l(x_{i_1}) + \cdots + l(x_{i_{s+1}}) < l(x_{j_1}) + \cdots + l(x_{j_n})\}$

4. We construct the $m$'th level of the tree as follows. Suppose that $D$ is a node in the $m-1$'st level such that the constraint $l(x_{i_1}) + \cdots + l(x_{i_{m-1}}) < l(x_{j_1}) + \cdots + l(x_{j_t})$ appears in $D$. Then

• $D_1 = D \cup \{l(x_{i_1}) + \cdots + l(x_{i_m}) = l(x_{j_1}) + \cdots + l(x_{j_n})\} \setminus \{l(x_{i_1}) + \cdots + l(x_{i_{m-1}}) < l(x_{j_1}) + \cdots + l(x_{j_n})\}$.


Example 4.1 To see how this works, consider two sequences $(x_1, x_2, x_3)$ and $(x_4, x_5)$. The nodes at level one are:

• $D_1 = \{l(x_1) < l(x_4)\}$;

• $D_2 = \{l(x_1) > l(x_4),\ l(x_1) < l(x_4) + l(x_5)\}$.

The nodes at level two are:

• $D_{(1,1)} = \{l(x_1) + l(x_2) < l(x_4)\}$;

• $D_{(1,2)} = \{l(x_1) < l(x_4),\ l(x_1) + l(x_2) > l(x_4),\ l(x_1) + l(x_2) < l(x_4) + l(x_5)\}$;

• $D_{(2,2)} = \{l(x_1) > l(x_4),\ l(x_1) + l(x_2) < l(x_4) + l(x_5)\}$.

The nodes at level three are:

• $D_{(1,1,1)} = \{l(x_1) + l(x_2) < l(x_4),\ l(x_1) + l(x_2) + l(x_3) = l(x_4) + l(x_5)\}$;

• $D_{(1,2,1)} = \{l(x_1) < l(x_4),\ l(x_1) + l(x_2) > l(x_4),\ l(x_1) + l(x_2) + l(x_3) = l(x_4) + l(x_5)\}$;

• $D_{(2,2,2)} = \{l(x_1) > l(x_4),\ l(x_1) + l(x_2) + l(x_3) = l(x_4) + l(x_5)\}$.
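As an added illustration (this is not code from the paper), the following Python builds the leaves of the constraint tree of Definition 4.3 for arbitrary index sequences, reproduces the three leaves of Example 4.1, and checks a concrete length assignment against a leaf in the sense of Definition 4.4. The triple encoding of constraints and all function names are this example's own choices.

```python
"""Constraint tree of Definition 4.3 (added example, not from the paper).

A constraint is a triple (a, rel, b) standing for
    l(x_{i_1}) + ... + l(x_{i_a})  rel  l(x_{j_1}) + ... + l(x_{j_b})
with rel one of "<", ">", "=".  The tree uses strict inequalities, so a
length assignment in which two prefix sums tie matches no leaf.
"""


def constraint_tree_leaves(m, n):
    """Return the leaves of the constraint tree for index sequences of
    length m (the i's) and n (the j's); each leaf is a list of constraints."""
    leaves = []

    def expand(node, s, t):
        # s = how many i-fields have been placed so far,
        # t = the j-prefix inside which the s-th i-field ends (t = 1 at the root).
        if s == m - 1:
            # m-th level: the two messages are equal, so the totals agree; the
            # prefix bound against the whole j-sequence is then redundant.
            leaves.append([c for c in node if c != (s, "<", n)] + [(m, "=", n)])
            return
        # child 1: the next i-field still ends inside j-prefix t, which makes
        # the weaker bound on the first s fields redundant.
        expand([c for c in node if c != (s, "<", t)] + [(s + 1, "<", t)], s + 1, t)
        # children 2 .. n-t+1: the next i-field runs past j-prefix u-1 but
        # ends inside j-prefix u.
        for u in range(t + 1, n + 1):
            expand(node + [(s + 1, ">", u - 1), (s + 1, "<", u)], s + 1, u)

    expand([], 0, 1)  # the root is the empty set (level 0)
    return leaves


def render(constraint, i_seq, j_seq):
    """Spell a constraint out with the actual field indices, e.g. 'l(x1) < l(x4)'."""
    a, rel, b = constraint
    lhs = " + ".join(f"l(x{k})" for k in i_seq[:a])
    rhs = " + ".join(f"l(x{k})" for k in j_seq[:b])
    return f"{lhs} {rel} {rhs}"


def render_leaves(i_seq, j_seq):
    """All leaves for the two index sequences, rendered as strings."""
    return [[render(c, i_seq, j_seq) for c in leaf]
            for leaf in constraint_tree_leaves(len(i_seq), len(j_seq))]


def consistent(leaf, i_seq, j_seq, lengths):
    """Definition 4.4 for concrete lengths: every constraint of the leaf holds
    once l(x_k) is replaced by lengths[k]."""
    ops = {"<": lambda p, q: p < q, ">": lambda p, q: p > q, "=": lambda p, q: p == q}
    for a, rel, b in leaf:
        lhs = sum(lengths[k] for k in i_seq[:a])
        rhs = sum(lengths[k] for k in j_seq[:b])
        if not ops[rel](lhs, rhs):
            return False
    return True


def matching_leaf(i_seq, j_seq, lengths):
    """Index of the leaf a length assignment is consistent with, or None when
    no leaf fits (the totals differ, or two prefix sums tie)."""
    for k, leaf in enumerate(constraint_tree_leaves(len(i_seq), len(j_seq))):
        if consistent(leaf, i_seq, j_seq, lengths):
            return k
    return None


if __name__ == "__main__":
    # Example 4.1: sequences (x1, x2, x3) and (x4, x5) give three leaves.
    for leaf in render_leaves((1, 2, 3), (4, 5)):
        print(" , ".join(leaf))
    # The gap-toothed zipper example later in this section: (x2, x3) against (x1, x4).
    for leaf in render_leaves((2, 3), (1, 4)):
        print(" , ".join(leaf))
```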

We now need to define what it means for a sequence of fields to be consistent with a set of inequalities.

Definition 4.4 Let $Q$ be a set of inequalities and equalities defined in terms of variables $(X_1, \ldots, X_M)$. We will say that a sequence of fields $(x_1, \ldots, x_r)$ where $r \leq M$ is consistent with (or $\triangleleft$) $Q$ if the result of substituting $x_1$ for $X_1$ through $x_r$ for $X_r$ does not imply any contradictions.

We are now ready to define a procedure for verifying security against type confusion attacks. As we said before, it is similar to the "zipper" of [10]. The main difference is that instead of matching up fields according to the order in which they appear in the message, we match them in a way consistent with the causal order in which they are computed. This allows us to compute the probability of a successful type confusion using the probabilities taken from a type function tree instead of computing probabilities in an ad hoc fashion. We refer to this new version of the zipper as a "gap-toothed zipper".

We proceed as follows.

Definition 4.5 Let $\mathcal{R}$ and $\mathcal{S}$ be two type function trees of height $h_1$ and $h_2$, respectively, where a masquerading message is constructed from $\mathcal{R}$ using a function $\rho_1$ from $(1, \ldots, t_1)$ onto $(1, \ldots, h_1)$ and a spoofed message is constructed from $\mathcal{S}$ using a function $\rho_2$ from $(1, \ldots, t_2)$ onto $(1, \ldots, h_2)$. Let $\mathcal{I}$ be an interleaving of $\mathcal{R}$ and $\mathcal{S}$, constructed using injections $\theta_1$ and $\theta_2$. Let $p$ be a number between zero and one. We define $Z(\mathcal{I}, p)$, the gap-toothed zipper over $\mathcal{I}$ and $p$, as follows.

Let $E$ be the equation $x_{\theta_1 \circ \rho_1(1)} \| \cdots \| x_{\theta_1 \circ \rho_1(t_1)} = x_{\theta_2 \circ \rho_2(1)} \| \cdots \| x_{\theta_2 \circ \rho_2(t_2)}$. Let $T$ be the constraint tree constructed from the two sequences of indices $(\theta_1 \circ \rho_1(1), \ldots, \theta_1 \circ \rho_1(t_1))$ and $(\theta_2 \circ \rho_2(1), \ldots, \theta_2 \circ \rho_2(t_2))$. For each leaf $C$ of the constraint tree, construct a sequence of sets $G(i, C)$ of pairs of the form $((x_1, \ldots, x_r), q((x_1, \ldots, x_r)))$ as follows:

1. We construct $G(1, C \cup \{E\})$ as follows.

1a. If $\mathcal{I}(())$ is a type under control of an honest principal, let $G(1, C \cup \{E\}) = \{((x_1), p_{()}(x_1)) \mid x_1 \in \mathcal{I}(()) \wedge x_1 \triangleleft C \cup \{E\}\}$, where $p_{()}$ is the probability distribution associated with $\mathcal{I}(())$.

1b. If $\mathcal{I}(())$ is a type under direct control of a dishonest principal, let $G(1, C \cup \{E\}) = \{((x_1), \delta_{()}(x_1)) \mid x_1 \in \mathcal{I}(()) \wedge x_1 \triangleleft C \cup \{E\}\}$, where $\delta_{()}$ is the (as yet undefined) probability distribution associated with $\mathcal{I}(())$.

Note that by construction $\mathcal{I}(())$ cannot be under the indirect control of the intruder.

2. Suppose that $G(r-1, C \cup \{E\})$ is known. We let $G(r, C \cup \{E\})$ be the union of all $H((x_1, \ldots, x_{r-1}))$ such that $((x_1, \ldots, x_{r-1}), g((x_1, \ldots, x_{r-1}))) \in G(r-1, C \cup \{E\})$, where $H((x_1, \ldots, x_{r-1}))$ is defined as below.

2a. For each $((x_1, \ldots, x_{r-1}), g((x_1, \ldots, x_{r-1})))$ in $G(r-1, C \cup \{E\})$ such that $\mathcal{I}((x_1, \ldots, x_{r-1}))$ is under the control of an honest principal,

$H((x_1, \ldots, x_{r-1})) = \{((x_1, \ldots, x_r), g((x_1, \ldots, x_r))) \mid (x_1, \ldots, x_r) \triangleleft C \cup \{E\} \wedge g((x_1, \ldots, x_r)) > 0\}$

where $g((x_1, \ldots, x_r)) = p_{(x_1, \ldots, x_{r-1})}(x_r) \cdot g((x_1, \ldots, x_{r-1}))$, and $p_{(x_1, \ldots, x_{r-1})}$ is the probability distribution associated with $\mathcal{I}((x_1, \ldots, x_{r-1}))$.

2b. For each $((x_1, \ldots, x_{r-1}), g((x_1, \ldots, x_{r-1})))$ in $G(r-1, C \cup \{E\})$ such that $\mathcal{I}((x_1, \ldots, x_{r-1}))$ is under the direct control of a dishonest principal, let $g((x_1, \ldots, x_r)) = \delta_{(x_1, \ldots, x_{r-1})}(x_r) \cdot g((x_1, \ldots, x_{r-1}))$, where $\delta_{(x_1, \ldots, x_{r-1})}$ is the (as yet unknown) probability distribution associated with $\mathcal{I}((x_1, \ldots, x_{r-1}))$, and let

$H((x_1, \ldots, x_{r-1})) = \{((x_1, \ldots, x_r), g((x_1, \ldots, x_r))) \mid (x_1, \ldots, x_r) \triangleleft C \cup \{E\} \wedge g((x_1, \ldots, x_r)) > 0\}$.

2c. For each $((x_1, \ldots, x_{r-1}), g((x_1, \ldots, x_{r-1})))$ in $G(r-1, C \cup \{E\})$ such that $\mathcal{I}((x_1, \ldots, x_{r-1}))$ is under the indirect control of a dishonest principal, if there is a field $x_r \in \mathcal{I}((x_1, \ldots, x_{r-1}))$ such that $(x_1, \ldots, x_r) \triangleleft C \cup \{E\}$ (by construction there is at most one such $x_r$ for each $(x_1, \ldots, x_{r-1})$), let $g((x_1, \ldots, x_r)) = g((x_1, \ldots, x_{r-1}))$, and let $H((x_1, \ldots, x_{r-1})) = \{((x_1, \ldots, x_r), g((x_1, \ldots, x_r)))\}$.

We let $\Sigma G(h, C \cup \{E\})$ be the sum of all $g(x)$ such that $(x, g) \in G(h, C \cup \{E\})$.

By construction, for each leaf node $C$ of the length constraint tree, we conclude that $\Sigma G(h, C \cup \{E\})$ is the probability that there exists a sequence $(x_1, \ldots, x_h)$ satisfying $E$ and $C$. Let $p$ be a number between 0 and 1. Clearly, if $\Sigma G(h, C \cup \{E\}) < p$ for all $C$ and all choices for the probability distributions $\delta$ under the direct control of the intruder, then the intruder has no winning strategy. On the other hand, if there is a $C$ and some choices of $\delta$ that make $\Sigma G(h, C \cup \{E\}) \geq p$, then it may be possible, given certain assumptions about the length choices of the honest principals, to find length choices for the intruder that will guarantee consistency with $C$, and thus produce a winning strategy.

In order to show how such a procedure could work, we apply it to Example 3.2. This time, however, we relax the condition that all nonces be the same length, to allow nonces of any length. Thus, the masquerading message, made out of types local to B, is of the form $(X, N_B)$ where $N_B$ is a nonce under the control of A, and $X$ is under the direct control of the intruder, and the spoofed message, made out of types local to A, is $(N_A, Y)$, where $N_A$ is under the control of A and $Y$ is under the indirect control of the intruder. We assume that the honest principals choose the length of the nonces first, and then choose random nonces of that length. Since $X$ is chosen before $N_B$ we then let the function tree $\mathcal{R}$ for $(X, N_B)$ be defined as

1. $\mathcal{R}(()) = X$

2. $\mathcal{R}((z_1)) = N_B$

3. $\mathcal{R}((z_1, z_2)) = \bot$

Since $Y$ is under the indirect control of the intruder, it is not generated until the spoofed message is received, which is after $N_A$. Thus the function tree $\mathcal{S}$ is defined as

1. $\mathcal{S}(()) = N_A$

2. $\mathcal{S}((y_1)) = Y$

3. $\mathcal{S}((y_1, y_2)) = \bot$

In this case, $\rho_1$ and $\rho_2$ are both the identity function.

Suppose that we assume that the member of $X$ is chosen after the member of $N_A$. Then, in our construction of the interleaving $\mathcal{I}$, we have $\theta_1 \circ \rho_1(1) = 2$, $\theta_1 \circ \rho_1(2) = 3$, $\theta_2 \circ \rho_2(1) = 1$, and $\theta_2 \circ \rho_2(2) = 4$.


In this case, $E$ is $x_2 \| x_3 = x_1 \| x_4$. The length constraint tree corresponding to this game has only two leaves:

$C_1 = \{l(x_2) < l(x_1),\ l(x_2) + l(x_3) = l(x_1) + l(x_4)\}$,

and

$C_2 = \{l(x_2) > l(x_1),\ l(x_2) + l(x_3) = l(x_1) + l(x_4)\}$.

Given a number $p$ between 0 and 1, we wish to determine if there is a winning strategy with respect to $p$ in the resulting type confusion game. We will restrict ourselves to the case in which the intruder and honest principals choose a length for the values under their direct control (or have it chosen for them) prior to engaging in the type confusion game.

We start with $C_1$. This set of length constraints is illustrated by the figure below:

[Figure: the fields $x_2 = X$ and $x_3 = N_B$ laid against $x_1 = N_A$, with $x_2$ shorter than $x_1$]

Figure 1. Messages obeying $C_1$ constraints


1. We choose $x_1$ first, which belongs to a type under control of A. Any choice of $x_1$ is consistent with $C_1 \cup \{E\}$, so $G(1, C_1 \cup \{E\})$ is the set of all $(x_1, 1/2^{l(x_1)})$. Its cardinality is $2^{l(x_1)}$.

2. We then choose $x_2$, which belongs to a type under direct control of the intruder. If $x_1$ and $x_2$ obey the length constraints in $C_1$, then they are consistent with $E$ if and only if $x_2$ is equal to the first $l(x_2)$ bits of $x_1$. Thus, the only strategy available to the intruder, given a particular value of $x_1$, is to choose $x_2$ equal to the first $l(x_2)$ bits of $x_1$. Thus, $G(2, C_1 \cup \{E\})$ is the set of all such $((x_1, x_2), 1/2^{l(x_1)})$, and its cardinality is $2^{l(x_1)}$.

3. We now choose $x_3$, which is under control of B. The values $x_3$ and $x_1$ overlap on the last $l(x_1) - l(x_2)$ bits of $x_1$. Since both values are chosen independently with uniform distribution, the probability of $E$ being satisfied, that is, that the values agree on these $l(x_1) - l(x_2)$ bits, is $1/2^{l(x_1) - l(x_2)}$. For any $(x_1, x_2)$ consistent with $C_1 \cup \{E\}$, the cardinality of the set of $x_3$ consistent with these constraints is $2^{l(x_3) - (l(x_1) - l(x_2))}$. Since $x_1$ and $x_3$ are chosen with uniform distribution, we have that $G(3, C_1 \cup \{E\})$ is the set of all such $((x_1, x_2, x_3), 1/2^{l(x_1) + l(x_3)})$, where $(x_1, x_2, x_3)$ is consistent with these constraints, and its cardinality is $2^{l(x_2) + l(x_3)}$.

4. Finally, we have $x_4$, under the indirect control of the intruder. This is set equal to the last $l(x_4)$ bits of $x_3$. Thus $G(4, C_1 \cup \{E\})$ is the set of all $((x_1, x_2, x_3, x_4), 1/2^{l(x_1) + l(x_3)})$ such that $x_1$, $x_2$, $x_3$, and $x_4$ satisfy the constraints of $C_1 \cup \{E\}$. Its cardinality is $2^{l(x_2) + l(x_3)}$. Thus, given any fixed choice for the lengths of $x_1$, $x_2$, $x_3$, and $x_4$ satisfying $C_1$, the probability of a successful type confusion attack is $1/2^{l(x_1) - l(x_2)}$.

We now look at $C_2$. We assume that $l(x_1)$, $l(x_2)$, $l(x_3)$, and $l(x_4)$ have been chosen to be consistent with $C_2$. This set of constraints is given by the figure below:

[Figure: the fields $x_2 = X$ and $x_3 = N_B$ laid against $x_1 = N_A$, with $x_2$ longer than $x_1$]

Figure 2. Messages obeying $C_2$ constraints


1. As in the case of $C_1$, all choices of $x_1$ are consistent with $C_2 \cup \{E\}$. Thus $G(1, C_2 \cup \{E\})$ is the set of all $(x_1, 1/2^{l(x_1)})$, and its cardinality is $2^{l(x_1)}$.

2. For each choice of $x_1$, choose $x_2$, which belongs to a type under direct control of the intruder. We need to choose the first $l(x_1)$ bits of $x_2$ equal to $x_1$; the rest are free. Thus $G(2, C_2 \cup \{E\})$ is the set of all such $((x_1, x_2), 1/2^{l(x_1)} \cdot \delta_{(x_1)}(x_2))$. Its cardinality is $2^{l(x_1) + l(x_2) - l(x_1)} = 2^{l(x_2)}$. The only restriction on $\delta_{(x_1)}$ so far is that it be nonzero only when the first $l(x_1)$ bits of $x_2$ are equal to $x_1$.

3. We now choose $x_3$, which is under the direct control of B. According to the length constraints in $C_2$, the value $x_3$ does not overlap with any of the values previously chosen, so any choice of $x_3$ is consistent with $E$. The distribution of $x_3$ is uniform, so we have $G(3, C_2 \cup \{E\}) = \{((x_1, x_2, x_3), 1/2^{l(x_1) + l(x_3)} \cdot \delta_{(x_1)}(x_2))\}$, and its cardinality is equal to $2^{l(x_2) + l(x_3)}$.

4. Finally, we set $x_4$, which is under the indirect control of the intruder, to be equal to the last $l(x_2) - l(x_1)$ bits of $x_2$ concatenated with $x_3$. We thus have $G(4, C_2 \cup \{E\}) = \{((x_1, x_2, x_3, x_4), 1/2^{l(x_1) + l(x_3)} \cdot \delta_{(x_1)}(x_2))\}$.


Summing up all the probabilities from $G(4, C_2 \cup \{E\})$ gives a total of 1 no matter what choice of $\delta$, as long as it is nonzero only when the first $l(x_1)$ bits of $x_2$ equal $x_1$.
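To check the two closed-form results for $C_1$ and $C_2$ by exhaustive enumeration, the following Python (an added example, not part of the paper) plays the game of Example 3.2 for small fixed lengths: $x_1$ and $x_3$ are uniform bit strings, the intruder picks $x_2$ after seeing $x_1$, and $x_4$ is whatever suffix makes $E$ hold. The function names and the sample lengths are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def bitstrings(length):
    """All bit strings of the given length, as '0'/'1' strings."""
    return ("".join(bits) for bits in product("01", repeat=length))


def equation_holds(x1, x2, x3, l4):
    """E: x2 || x3 = x1 || x4 for some x4 with l(x4) = l4.  Because the lengths
    are fixed in advance so that l(x2) + l(x3) = l(x1) + l(x4), this is a prefix
    check; the field x4 under the intruder's indirect control is then forced to
    be the remaining suffix, which is why step 4 contributes probability 1."""
    joined = x2 + x3
    return len(joined) == len(x1) + l4 and joined.startswith(x1)


def best_strategy_success(l1, l2, l3, l4):
    """Probability that E holds under the intruder's best strategy: x1 (N_A)
    and x3 (N_B) are uniform, x2 (X) is chosen by the intruder after x1, so for
    each x1 the intruder takes the x2 that maximises Pr over x3 of E.
    Exhaustive, so keep the constructed lengths small (l1 + l2 + l3 <= ~16)."""
    if l2 + l3 != l1 + l4:
        raise ValueError("lengths must satisfy l(x2) + l(x3) = l(x1) + l(x4)")
    total = Fraction(0)
    for x1 in bitstrings(l1):
        best = 0
        for x2 in bitstrings(l2):
            hits = sum(1 for x3 in bitstrings(l3) if equation_holds(x1, x2, x3, l4))
            best = max(best, hits)
        total += Fraction(best, 2 ** l3)
    return total / 2 ** l1


def predicted_success(l1, l2):
    """Closed form from the text: 1/2^(l(x1) - l(x2)) under C1 (l(x2) < l(x1))
    and 1 under C2 (l(x2) > l(x1)).  The tie l(x1) = l(x2), which the strict
    constraint tree leaves out, also gives 1 (x2 = x1 and x4 = x3)."""
    return Fraction(1, 2 ** (l1 - l2)) if l2 < l1 else Fraction(1)


if __name__ == "__main__":
    # constructed lengths obeying C1: l(x2) < l(x1), and 2 + 6 = 5 + 3
    print(best_strategy_success(5, 2, 6, 3), predicted_success(5, 2))  # 1/8 1/8
    # constructed lengths obeying C2: l(x2) > l(x1), and 5 + 3 = 2 + 6
    print(best_strategy_success(2, 5, 3, 6), predicted_success(2, 5))  # 1 1
```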

5 Conclusion and Discussion

We have presented a formal model and procedure for determining whether or not type confusions are possible in signed messages in a cryptographic protocol. Our approach has certain advantages over previous applications of formal methods to type confusion; we can take into account the possibility that an attacker could cause pieces of message fields to be confused with each other, as well as entire fields. This allows one to determine whether or not there is any strategy available to the attacker that will raise the probability of a successful attack above some predetermined threshold. The approach is an improvement over our previous work in [10] in that it offers an explicit model of the behavior of attacker and honest principals in terms of a type confusion tree, allowing one to use the probabilities specified in the tree to compute directly the probability of a successful attack. Moreover, our model, by separating the causal relationships among types from the order in which they appear in the messages, allows the user to experiment with different assumptions about the causal ordering of message fields, or about which message fields come from trusted and which come from untrusted principals.

There are several ways in which this work could be extended. One would be to extend the method to type function trees of unbounded height. For arbitrary trees, this will probably be impossible, but most messages containing an unbounded number of terms only contain an unbounded list of fields of the same type, e.g. a message used to deliver an unbounded number of keys. Thus it may be possible to develop inductive techniques to deal with this problem.

Another, more long-term goal is to extend this work to deal with confusion, not only about the content of messages, but about the way in which they are encrypted or authenticated. As we see from the work of Bellovin [3] and Stubblebine and Gligor [13], such type confusion, in particular involving modes of encryption, can have serious effects on the security of a system. In an analogy to our experience with type confusion of GDOI, we were able to use the NRL Protocol Analyzer to reproduce some of Bellovin's attacks on the Encapsulating Security Protocol in [15], but we were not able to use the tool to perform a complete analysis of the problem. Moreover, the problem becomes somewhat more complicated than type confusion of message content in that we may need to consider the interaction between two type systems, that of the plaintext and that of the ciphertext. It will be interesting to see if our approach can be extended to this problem, which has seen relatively little exploration in the formal methods community. One exception is the work of Stubblebine, Gligor, and Kailar on the guarantee of message integrity protection in protocols [6, 14]. The problem that they study, the ability of an intruder to create a recognizable message (instead of spoofing a particular one), is slightly different from ours, but there is enough in common that many of their techniques may be applicable.

Finally, it might be useful to investigate the integration of this model with more mathematically rigorous models of cryptography. At present we have populated our type function trees with relatively simplistic assumptions about probability distributions related to random number generation, encryption, and so forth. This may be all that we need, but it might be useful to see if applying any of the currently available mathematical models of cryptography, or any of the emerging techniques for wedding these with formal logical models as in [11], would be of help here.